Pre-processing system for minimizing application-level denial-of-service in a multi-tenant system

ABSTRACT

Denial-of-service attacks are prevented or mitigated in a cloud compute environment, such as a multi-tenant, collaborative SaaS system. This is achieved by providing a mechanism by which characterization of “legitimate” behavior is defined for tenant applications or application classes, preferably along with actions to be taken in the event a request to execute an application is anticipated to exceed defined workflow limits. A set of application profiles are generated. Typically, a profile comprises information, such as a request defined by one or more request variables, one or more “constraints,” one or more “request mappings,” and one or more “actions.” A constraint is a maximum permitted workload for the application. A request mapping maps a request variable to the constraint, either directly or indirectly. The profile information defines how a request is mapped to a workload to determine whether the request is in policy or, if not, what action to take.

CROSS-REFERENCE TO RELATED APPLICATION

This application is related to U.S. Ser. No. 14/148,305, filed Jan. 6,2014, titled “Preventing application-level denial-of-service in amulti-tenant system.”

BACKGROUND OF THE INVENTION

Technical Field

This disclosure relates generally to securing information in a cloudcomputing or other shared deployment environment wherein disparateparties share Information Technology (IT) resources.

Background of the Related Art

An emerging information technology (IT) delivery model is cloudcomputing, by which shared resources, software and information areprovided over the Internet to computers and other devices on-demand.Cloud computing can significantly reduce IT costs and complexities whileimproving workload optimization and service delivery. Cloud computeresources are typically housed in large server farms that run networkedapplications, typically using a virtualized architecture whereinapplications run inside virtual servers, or so-called “virtual machines”(VMs), that are mapped onto physical servers in a data center facility.The virtual machines typically run on top of a hypervisor, which is acontrol program that allocates physical resources to the virtualmachines. The different components may run on different subdomains indifferent physical cages in different data centers in different parts ofthe world, all running on different hardware with different proxy,gateway or session management capabilities, and different back-endtechnologies.

Multiple entities (or “tenants”) share the infrastructure. With thisapproach, a tenant's application instance is hosted and made available“as-a-service” from Internet-based resources that are accessible, e.g.,through a conventional Web browser over HTTP. A cloud computeenvironment, such as IBM SmartCloud® for Social Business (formerly knownas LotusLive), presents to the user as a single unified experience; inoperation, the end user logs-in once against a centralizedauthentication component, and then transparently signs-on (e.g., viaSAML (Security Assertion Markup Language)-based authentication andauthorization techniques) into different components of the service.

While multi-tenant, collaborative SaaS (Software-As-A-Service) systemsprovide significant advantages, the applications supported in suchinfrastructure but may be subject to denial-of-service (DoS) attacks. Asused herein, a “denial-of-service” refers to any degradation of atenant's service to a point below an acceptable response time and/ortransaction throughput rate, whether or not the attack leads to a fullrejection of service for legitimate users. A denial-of-service may occurdeliberately, namely, as a result of an intentional act, or it may occurwithout direct intention on the part of the accessor(s) (the callingclients) whose activity creates the situation.

Application denial-of-service is very difficult to combat withtraditional mechanisms for throttling DoS attacks. Thus, for example,seemingly legitimate API calls can result in a large amount of resourcesconsumed with the application to handle the request. Indeed, even arelatively small number of requests can tie up resources. As an example,a REST-based API can take a JSON payload to trigger a workflow, such ascreating activities. When the JSON payload contains many activities,each with many sub-tasks that trigger other API calls, many resourcescan be tied up processing the resulting API calls. As another example,an attacker can send compressed files that will be very large whendecompressed, thereby resulting in memory issues on the applicationserver processing them.

A denial-of-service attack in a shared tenant infrastructure can haveserious consequences. It may prevent legitimate users and usage of theservice from continuing with acceptable response time and transactionthroughput rates. Such attacks can lead to rejection of service forlegitimate users and thereby create business-impacting supportsituations.

A denial-of-service attack prevention mechanism that works by creatingprofiles for accessors, and then taking actions based on limits in suchprofiles being reached, is described in the related applicationidentified above. While that technique provides significant advantages,there remains a need for other types of denial-of-service attackprevention or mitigation in a shared, multi-tenant SaaS environment.

BRIEF SUMMARY

According to this disclosure, application requests are pre-processed todetect (and potentially mitigate) those that would otherwise result indenial-of-service attacks in a cloud compute environment, such as amulti-tenant, collaborative SaaS system. This goal is achieved byproviding a mechanism by which a generalized characterization of“legitimate” behavior is defined for each of one or more tenantapplications (or “types” of such applications), wherein the legitimatebehavior typically is defined as a mapping of application functionalityto acceptable workload (in terms of resource usage or performance). In arepresentative embodiment, a set of application “usage profiles” (or“profiles”) are generated. Typically, a profile comprises a set ofinformation, such as a “request type,” one or more “request variables,”one or more “constraints,” one or more “request mapping(s),” and one ormore “actions.” A request type defines a request associated with anapplication or application instance, one or more other requests orrequest types that may be combined with the request, and the like. Arequest variable typically defines a characteristic of a request, suchas a type of payload, a file size or type, source, time, etc. Aconstraint typically is a maximum permitted workload for theapplication. A constraint may contain some notion of time (e.g., wherethe constraint is applied across multiple requests). A “request mapping”maps a request variable to the constraint either directly or indirectly(e.g., by calculating a value that can be compared to the constraint).An action defines how the system will respond if the particularconstraint in an application profile is triggered (or fired).

Once the application profiles are defined, a pre-processing proxy (orother such computing entity) performs an analysis, preferably on eachapplication request (whether singularly, or combined with one or moreother requests), to determine if the request (or request combination)implicates any of the constraints identified in the associatedapplication profile(s). If any of the constraints are implicated (e.g.,violated), one or more actions are then taken as necessary to addresspotential violation of the constraints. An action may be delaying orthrottling the request, rejecting the request, restricting the requestfrom being combined with some other request, or the like. Bypre-processing requests in this manner, the cloud service providerallows for expected application functionality-to-acceptable workloadpatterns, but it can readily detect and mitigate or even preventrequests (or request combinations) that would otherwise cause aberrantusage of cloud resources.

The foregoing has outlined some of the more pertinent features of thedisclosed subject matter. These features should be construed to bemerely illustrative. Many other beneficial results can be attained byapplying the disclosed subject matter in a different manner or bymodifying the subject matter as will be described.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and theadvantages thereof, reference is now made to the following descriptionstaken in conjunction with the accompanying drawings, in which:

FIG. 1 depicts an exemplary block diagram of a distributed dataprocessing environment in which exemplary aspects of the illustrativeembodiments may be implemented;

FIG. 2 is an exemplary block diagram of a data processing system inwhich exemplary aspects of the illustrative embodiments may beimplemented;

FIG. 3 illustrates an exemplary cloud computing architecture in whichthe disclosed subject matter may be implemented;

FIG. 4 illustrates an exemplary datacenter in which thedenial-of-service attack prevention mechanism of this disclosure may beimplemented;

FIG. 5 illustrates a high-level block diagram of the basic components ofthe denial-of-service attack mechanism of this disclosure;

FIG. 6 illustrates a representative format of an application profileaccording to this disclosure;

FIG. 7 illustrates a block diagram of the pre-processing and DoS actionsub-systems according to this disclosure; and

FIG. 8 illustrates a process flow of the pre-processing and DoS actioncomponents in a representative embodiment.

DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT

With reference now to the drawings and in particular with reference toFIGS. 1-2, exemplary diagrams of data processing environments areprovided in which illustrative embodiments of the disclosure may beimplemented. It should be appreciated that FIGS. 1-2 are only exemplaryand are not intended to assert or imply any limitation with regard tothe environments in which aspects or embodiments of the disclosedsubject matter may be implemented. Many modifications to the depictedenvironments may be made without departing from the spirit and scope ofthe subject matter.

Client-Server Technologies

With reference now to the drawings, FIG. 1 depicts a pictorialrepresentation of an exemplary distributed data processing system inwhich aspects of the illustrative embodiments may be implemented.Distributed data processing system 100 may include a network ofcomputers in which aspects of the illustrative embodiments may beimplemented. The distributed data processing system 100 contains atleast one network 102, which is the medium used to provide communicationlinks between various devices and computers connected together withindistributed data processing system 100. The network 102 may includeconnections, such as wire, wireless communication links, or fiber opticcables.

In the depicted example, server 104 and server 106 are connected tonetwork 102 along with storage unit 108. In addition, clients 110, 112,and 114 are also connected to network 102. These clients 110, 112, and114 may be, for example, personal computers, network computers, or thelike. In the depicted example, server 104 provides data, such as bootfiles, operating system images, and applications to the clients 110,112, and 114. Clients 110, 112, and 114 are clients to server 104 in thedepicted example. Distributed data processing system 100 may includeadditional servers, clients, and other devices not shown.

In the depicted example, distributed data processing system 100 is theInternet with network 102 representing a worldwide collection ofnetworks and gateways that use the Transmission ControlProtocol/Internet Protocol (TCP/IP) suite of protocols to communicatewith one another. At the heart of the Internet is a backbone ofhigh-speed data communication lines between major nodes or hostcomputers, consisting of thousands of commercial, governmental,educational and other computer systems that route data and messages. Ofcourse, the distributed data processing system 100 may also beimplemented to include a number of different types of networks, such asfor example, an intranet, a local area network (LAN), a wide areanetwork (WAN), or the like. As stated above, FIG. 1 is intended as anexample, not as an architectural limitation for different embodiments ofthe disclosed subject matter, and therefore, the particular elementsshown in FIG. 1 should not be considered limiting with regard to theenvironments in which the illustrative embodiments of the presentinvention may be implemented.

With reference now to FIG. 2, a block diagram of an exemplary dataprocessing system is shown in which aspects of the illustrativeembodiments may be implemented. Data processing system 200 is an exampleof a computer, such as client 110 in FIG. 1, in which computer usablecode or instructions implementing the processes for illustrativeembodiments of the disclosure may be located.

With reference now to FIG. 2, a block diagram of a data processingsystem is shown in which illustrative embodiments may be implemented.Data processing system 200 is an example of a computer, such as server104 or client 110 in FIG. 1, in which computer-usable program code orinstructions implementing the processes may be located for theillustrative embodiments. In this illustrative example, data processingsystem 200 includes communications fabric 202, which providescommunications between processor unit 204, memory 206, persistentstorage 208, communications unit 210, input/output (I/O) unit 212, anddisplay 214.

Processor unit 204 serves to execute instructions for software that maybe loaded into memory 206. Processor unit 204 may be a set of one ormore processors or may be a multi-processor core, depending on theparticular implementation. Further, processor unit 204 may beimplemented using one or more heterogeneous processor systems in which amain processor is present with secondary processors on a single chip. Asanother illustrative example, processor unit 204 may be a symmetricmulti-processor (SMP) system containing multiple processors of the sametype.

Memory 206 and persistent storage 208 are examples of storage devices. Astorage device is any piece of hardware that is capable of storinginformation either on a temporary basis and/or a permanent basis. Memory206, in these examples, may be, for example, a random access memory orany other suitable volatile or non-volatile storage device. Persistentstorage 208 may take various forms depending on the particularimplementation. For example, persistent storage 208 may contain one ormore components or devices. For example, persistent storage 208 may be ahard drive, a flash memory, a rewritable optical disk, a rewritablemagnetic tape, or some combination of the above. The media used bypersistent storage 208 also may be removable. For example, a removablehard drive may be used for persistent storage 208.

Communications unit 210, in these examples, provides for communicationswith other data processing systems or devices. In these examples,communications unit 210 is a network interface card. Communications unit210 may provide communications through the use of either or bothphysical and wireless communications links.

Input/output unit 212 allows for input and output of data with otherdevices that may be connected to data processing system 200. Forexample, input/output unit 212 may provide a connection for user inputthrough a keyboard and mouse. Further, input/output unit 212 may sendoutput to a printer. Display 214 provides a mechanism to displayinformation to a user.

Instructions for the operating system and applications or programs arelocated on persistent storage 208. These instructions may be loaded intomemory 206 for execution by processor unit 204. The processes of thedifferent embodiments may be performed by processor unit 204 usingcomputer implemented instructions, which may be located in a memory,such as memory 206. These instructions are referred to as program code,computer-usable program code, or computer-readable program code that maybe read and executed by a processor in processor unit 204. The programcode in the different embodiments may be embodied on different physicalor tangible computer-readable media, such as memory 206 or persistentstorage 208.

Program code 216 is located in a functional form on computer-readablemedia 218 that is selectively removable and may be loaded onto ortransferred to data processing system 200 for execution by processorunit 204. Program code 216 and computer-readable media 218 form computerprogram product 220 in these examples. In one example, computer-readablemedia 218 may be in a tangible form, such as, for example, an optical ormagnetic disc that is inserted or placed into a drive or other devicethat is part of persistent storage 208 for transfer onto a storagedevice, such as a hard drive that is part of persistent storage 208. Ina tangible form, computer-readable media 218 also may take the form of apersistent storage, such as a hard drive, a thumb drive, or a flashmemory that is connected to data processing system 200. The tangibleform of computer-readable media 218 is also referred to ascomputer-recordable storage media. In some instances,computer-recordable media 218 may not be removable.

Alternatively, program code 216 may be transferred to data processingsystem 200 from computer-readable media 218 through a communicationslink to communications unit 210 and/or through a connection toinput/output unit 212. The communications link and/or the connection maybe physical or wireless in the illustrative examples. Thecomputer-readable media also may take the form of non-tangible media,such as communications links or wireless transmissions containing theprogram code. The different components illustrated for data processingsystem 200 are not meant to provide architectural limitations to themanner in which different embodiments may be implemented. The differentillustrative embodiments may be implemented in a data processing systemincluding components in addition to or in place of those illustrated fordata processing system 200. Other components shown in FIG. 2 can bevaried from the illustrative examples shown. As one example, a storagedevice in data processing system 200 is any hardware apparatus that maystore data. Memory 206, persistent storage 208, and computer-readablemedia 218 are examples of storage devices in a tangible form.

In another example, a bus system may be used to implement communicationsfabric 202 and may be comprised of one or more buses, such as a systembus or an input/output bus. Of course, the bus system may be implementedusing any suitable type of architecture that provides for a transfer ofdata between different components or devices attached to the bus system.Additionally, a communications unit may include one or more devices usedto transmit and receive data, such as a modem or a network adapter.Further, a memory may be, for example, memory 206 or a cache such asfound in an interface and memory controller hub that may be present incommunications fabric 202.

Computer program code for carrying out operations of the disclosedsubject matter may be written in any combination of one or moreprogramming languages, including an object-oriented programming languagesuch as Java™, Smalltalk, C++, C#, Objective-C, or the like, andconventional procedural programming languages. Program code may bewritten in interpreted languages, such as Python. The program code mayexecute entirely on the user's computer, partly on the user's computer,as a stand-alone software package, partly on the user's computer andpartly on a remote computer, or entirely on the remote computer orserver. In the latter scenario, the remote computer may be connected tothe user's computer through any type of network, including a local areanetwork (LAN) or a wide area network (WAN), or the connection may bemade to an external computer (for example, through the Internet using anInternet Service Provider). The techniques herein may also beimplemented in non-traditional IP networks.

Those of ordinary skill in the art will appreciate that the hardware inFIGS. 1-2 may vary depending on the implementation. Other internalhardware or peripheral devices, such as flash memory, equivalentnon-volatile memory, or optical disk drives and the like, may be used inaddition to or in place of the hardware depicted in FIGS. 1-2. Also, theprocesses of the illustrative embodiments may be applied to amultiprocessor data processing system, other than the SMP systemmentioned previously, without departing from the spirit and scope of thedisclosed subject matter.

As will be seen, the techniques described herein may operate inconjunction within the standard client-server paradigm such asillustrated in FIG. 1 in which client machines communicate with anInternet-accessible Web-based portal executing on a set of one or moremachines. End users operate Internet-connectable devices (e.g., desktopcomputers, notebook computers, Internet-enabled mobile devices, or thelike) that are capable of accessing and interacting with the portal.Typically, each client or server machine is a data processing systemsuch as illustrated in FIG. 2 comprising hardware and software, andthese entities communicate with one another over a network, such as theInternet, an intranet, an extranet, a private network, or any othercommunications medium or link. A data processing system typicallyincludes one or more processors, an operating system, one or moreapplications, and one or more utilities. The applications on the dataprocessing system provide native support for Web services including,without limitation, support for HTTP, SOAP, XML, WSDL, UDDI, and WSFL,among others. Information regarding SOAP, WSDL, UDDI and WSFL isavailable from the World Wide Web Consortium (W3C), which is responsiblefor developing and maintaining these standards; further informationregarding HTTP and XML is available from Internet Engineering Task Force(IETF). Familiarity with these standards is presumed.

By way of additional background, as used herein an “assertion” providesindirect evidence of some action. Assertions may provide indirectevidence of identity, authentication, attributes, authorizationdecisions, or other information and/or operations. An authenticationassertion provides indirect evidence of authentication by an entity thatis not the authentication service but that listened to theauthentication service. As is known in the art, a Security AssertionMarkup Language (SAML) assertion is an example of a possible assertionformat that may be used with the present invention. SAML has beenpromulgated by the Organization for the Advancement of StructuredInformation Standards (OASIS), which is a non-profit, global consortium.SAML is described in “Assertions and Protocol for the OASIS SecurityAssertion Markup Language (SAML)”, Committee Specification 01, May 31,2002, as follows.

The Security Assertion Markup Language (SAML) is an XML-based frameworkfor exchanging security information. This security information isexpressed in the form of assertions about subjects, where a subject isan entity (either human or computer) that has an identity in somesecurity domain. A typical example of a subject is a person, identifiedby his or her email address in a particular Internet DNS domain.Assertions can convey information about authentication acts performed bysubjects, attributes of subjects, and authorization decisions aboutwhether subjects are allowed to access certain resources. Assertions arerepresented as XML constructs and have a nested structure, whereby asingle assertion might contain several different internal statementsabout authentication, authorization, and attributes. Note thatassertions containing authentication statements merely describe acts ofauthentication that happened previously. Assertions are issued by SAMLauthorities, namely, authentication authorities, attribute authorities,and policy decision points. SAML defines a protocol by which clients canrequest assertions from SAML authorities and get a response from them.This protocol, consisting of XML-based request and response messageformats, can be bound to many different underlying communications andtransport protocols; SAML currently defines one binding, to SOAP overHTTP. SAML authorities can use various sources of information, such asexternal policy stores and assertions that were received as input inrequests, in creating their responses. Thus, while clients alwaysconsume assertions, SAML authorities can be both producers and consumersof assertions.

The SAML specification states that an assertion is a package ofinformation that supplies one or more statements made by an issuer. SAMLallows issuers to make three different kinds of assertion statements:authentication, in which the specified subject was authenticated by aparticular means at a particular time; authorization, in which a requestto allow the specified subject to access the specified resource has beengranted or denied; and attribute, in which the specified subject isassociated with the supplied attributes.

Authentication is the process of validating a set of credentials thatare provided by a user or on behalf of a user. Authentication isaccomplished by verifying something that a user knows, something that auser has, or something that the user is, i.e. some physicalcharacteristic about the user. Something that a user knows may include ashared secret, such as a user's password, or by verifying something thatis known only to a particular user, such as a user's cryptographic key.Something that a user has may include a smartcard or hardware token.Some physical characteristic about the user might include a biometricinput, such as a fingerprint or a retinal map. It should be noted that auser is typically, but not necessarily, a natural person; a user couldbe a machine, computing device, or other type of data processing systemthat uses a computational resource. It should also be noted that a usertypically but not necessarily possesses a single unique identifier; insome scenarios, multiple unique identifiers may be associated with asingle user.

An authentication credential is a set of challenge/response informationthat is used in various authentication protocols. For example, ausername and password combination is the most familiar form ofauthentication credentials. Other forms of authentication credential mayinclude various forms of challenge/response information, Public KeyInfrastructure (PKI) certificates, smartcards, biometrics, and so forth.An authentication credential is differentiated from an authenticationassertion: an authentication credential is presented by a user as partof an authentication protocol sequence with an authentication server orservice, and an authentication assertion is a statement about thesuccessful presentation and validation of a user's authenticationcredentials, subsequently transferred between entities when necessary.

Cloud Computing Model

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g. networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model may includeat least five characteristics, at least three service models, and atleast four deployment models, all as more particularly described anddefined in “Draft NIST Working Definition of Cloud Computing” by PeterMell and Tim Grance, dated Oct. 7, 2009.

In particular, the following are typical Characteristics:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network andaccessed through standard mechanisms that promote use by heterogeneousthin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to servemultiple consumers using a multi-tenant model, with different physicaland virtual resources dynamically assigned and reassigned according todemand. There is a sense of location independence in that the consumergenerally has no control or knowledge over the exact location of theprovided resources but may be able to specify location at a higher levelof abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time.

Measured service: cloud systems automatically control and optimizeresource use by leveraging a metering capability at some level ofabstraction appropriate to the type of service (e.g., storage,processing, bandwidth, and active user accounts). Resource usage can bemonitored, controlled, and reported providing transparency for both theprovider and consumer of the utilized service.

The Service Models typically are as follows:

Software as a Service (SaaS): the capability provided to the consumer isto use the provider's applications running on a cloud infrastructure.The applications are accessible from various client devices through athin client interface such as a web browser (e.g., web-based e-mail).The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage,or even individual application capabilities, with the possible exceptionof limited user-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquiredapplications created using programming languages and tools supported bythe provider. The consumer does not manage or control the underlyingcloud infrastructure including networks, servers, operating systems, orstorage, but has control over the deployed applications and possiblyapplication hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to theconsumer is to provision processing, storage, networks, and otherfundamental computing resources where the consumer is able to deploy andrun arbitrary software, which can include operating systems andapplications. The consumer does not manage or control the underlyingcloud infrastructure but has control over operating systems, storage,deployed applications, and possibly limited control of select networkingcomponents (e.g., host firewalls).

The Deployment Models typically are as follows:

Private cloud: the cloud infrastructure is operated solely for anorganization. It may be managed by the organization or a third party,and it may be on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by severalorganizations and supports a specific community that has shared concerns(e.g., mission, security requirements, policy, and complianceconsiderations). It may be managed by the organizations or a third partyand may be on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the generalpublic or a large industry group and is owned by an organization sellingcloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or moreclouds (private, community, or public) that remain unique entities butare bound together by standardized or proprietary technology thatenables data and application portability (e.g., cloud bursting forload-balancing between clouds).

A cloud computing environment is service-oriented with a focus onstatelessness, low coupling, modularity, and semantic interoperability.At the heart of cloud computing is an infrastructure comprising anetwork of interconnected nodes. A representative cloud computing nodeis as illustrated in FIG. 2 above. In particular, in a cloud computingnode there is a computer system/server, which is operational withnumerous other general purpose or special purpose computing systemenvironments or configurations. Examples of well-known computingsystems, environments, and/or configurations that may be suitable foruse with computer system/server include, but are not limited to,personal computer systems, server computer systems, thin clients, thickclients, hand-held or laptop devices, multiprocessor systems,microprocessor-based systems, set top boxes, programmable consumerelectronics, network PCs, minicomputer systems, mainframe computersystems, and distributed cloud computing environments that include anyof the above systems or devices, and the like. Computer system/servermay be described in the general context of computer system-executableinstructions, such as program modules, being executed by a computersystem. Generally, program modules may include routines, programs,objects, components, logic, data structures, and so on that performparticular tasks or implement particular abstract data types. Computersystem/server may be practiced in distributed cloud computingenvironments where tasks are performed by remote processing devices thatare linked through a communications network. In a distributed cloudcomputing environment, program modules may be located in both local andremote computer system storage media including memory storage devices.

Referring now to FIG. 3, by way of additional background, a set offunctional abstraction layers provided by a cloud computing environmentis shown. It should be understood in advance that the components,layers, and functions shown in FIG. 3 are intended to be illustrativeonly and embodiments of the invention are not limited thereto. Asdepicted, the following layers and corresponding functions are provided:

Hardware and software layer 300 includes hardware and softwarecomponents. Examples of hardware components include mainframes, in oneexample IBM® zSeries® systems; RISC (Reduced Instruction Set Computer)architecture based servers, in one example IBM pSeries® systems; IBMxSeries® systems; IBM BladeCenter® systems; storage devices; networksand networking components. Examples of software components includenetwork application server software, in one example IBM WebSphere®application server software; and database software, in one example IBMDB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter,WebSphere, and DB2 are trademarks of International Business MachinesCorporation registered in many jurisdictions worldwide)

Virtualization layer 302 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers;virtual storage; virtual networks, including virtual private networks;virtual applications and operating systems; and virtual clients.

In one example, management layer 304 may provide the functions describedbelow. Resource provisioning provides dynamic procurement of computingresources and other resources that are utilized to perform tasks withinthe cloud computing environment. Metering and Pricing provide costtracking as resources are utilized within the cloud computingenvironment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal provides access to the cloud computing environment forconsumers and system administrators. Service level management providescloud computing resource allocation and management such that requiredservice levels are met. Service Level Agreement (SLA) planning andfulfillment provides pre-arrangement for, and procurement of, cloudcomputing resources for which a future requirement is anticipated inaccordance with an SLA.

Workloads layer 306 provides examples of functionality for which thecloud computing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation; software development and lifecycle management; virtualclassroom education delivery; data analytics processing; transactionprocessing; and, according to this disclosure, a denial-of-serviceattack prevention mechanism.

It is understood in advance that although this disclosure includes adetailed description on cloud computing, implementation of the teachingsrecited herein are not limited to a cloud computing environment. Rather,embodiments of the disclosed subject matter are capable of beingimplemented in conjunction with any other type of computing environmentnow known or later developed.

Thus, a representative cloud computing environment has a set of highlevel functional components that include a front end identity manager, abusiness support services (BSS) function component, an operationalsupport services (OSS) function component, and the compute cloudcomponent. The identity manager is responsible for interfacing withrequesting clients to provide identity management, and this componentmay be implemented with one or more known systems, such as the TivoliFederated Identity Manager (TFIM) that is available from IBMCorporation, of Armonk, N.Y. In appropriate circumstances TFIM may beused to provide federated single sign-on (F-SSO) to other cloudcomponents. The business support services component provides certainadministrative functions, such as billing support. The operationalsupport services component is used to provide provisioning andmanagement of the other cloud components, such as virtual machine (VM)instances. The cloud component represents the main computationalresources, which are typically a plurality of virtual machine instancesthat are used to execute a target application that is being madeavailable for access via the cloud. One or more databases are used tostore directory, log, and other working data. All of these components(included the front end identity manager) are located “within” thecloud, but this is not a requirement. In an alternative embodiment, theidentity manager may be operated externally to the cloud. The serviceprovider also may be operated externally to the cloud.

Some clouds are based upon non-traditional IP networks. Thus, forexample, a cloud may be based upon two-tier CLOS-based networks withspecial single layer IP routing using hashes of MAC addresses. Thetechniques described herein may be used in such non-traditional clouds.

By way of example only, a representative enterprise application deployedin the cloud is a client-server application such as IBM® SmartCloud® forSocial Business (formerly LotusLive), which provides a cloud-deliveredsuite of technologies that combine web conferencing, messaging, andcollaboration services with social networking capabilities in aneasy-to-use web-based environment. As a component of IBM® SmartCloud,Notes® provides a full-featured email, calendaring, contact management,and instant messaging. A user can access the service directly over theInternet in a number of ways, such as using a web browser, or a “rich”client application (such as the Notes rich client). Using this service,an enterprise places in the cloud service its email, calendar and/orcollaboration infrastructure, and a user uses the Notes client to accesshis or her email, perform a calendar operation, or facilitate an onlinecollaboration. In a representative embodiment, the Notes rich client isVersion 8.5.2 or higher.

The above example (using IBM SmartCloud) is merely representative. Thetechniques described below are not limited for use with a particularenterprise application deployed within the cloud environment.

FIG. 4 illustrates a typical IT infrastructure that supportsvirtualization of resources. For purposes of explanation, the ITdatacenter that provides shared (public) resources is the “provider” anda customer or company that uses these shared resources to host, storeand manage its data and applications (in all forms) is the “subscriber”(or “customer” or “tenant”). In FIG. 4, an example virtual machinehosting environment (alternately referred to herein as a data center or“cloud”) is illustrated. This environment comprises host machines (HVs)402 (e.g., servers or like physical machine computing devices) connectedto a physical datacenter network 404, typically via a hypervisormanagement VLAN 406. Although not depicted explicitly, typically theenvironment also includes load balancers, network data switches (e.g.,top-of-rack switches), firewalls, and the like. As shown in FIG. 4,physical servers 402 are each adapted to dynamically provide one or morevirtual machines (VMs) 408 using virtualization technology. Suchtechnology is available commercially, e.g., from VMware® or others.Server virtualization is a technique that is well-known in the art. Asdepicted, multiple VMs can be placed into a single host machine andshare the host machine's CPU, memory and other resources, therebyincreasing the utilization of an organization's data center. In thisenvironment, tenant applications 410 are hosted in network appliances412, and tenant data is stored in data stores and databases 414. Theapplications and data stores are connected to the physical datacenternetwork 404, typically via a network management/storage VLAN 416.Collectively, the virtual machines, applications and tenant datarepresent a subscriber-accessible virtualized resource management domain405. Through this domain, the subscriber's employees may access andmanage (using various role-based privileges) virtualized resources theyhave been allocated by the provider and that are backed by physical ITinfrastructure. The bottom portion of the infrastructure illustrates aprovider-accessible management domain 415. This domain comprises aprovider employee management portal 418, the BSS/OSS managementfunctions 420, various identity and access management functions 422, asecurity policy server 424, and management functions 426 to manage theserver images 428. These functions interface to the physical datacenternetwork via a management VLAN 430. The provider's employees havespecialized privileges (and perhaps specific clients/networks) fromwhich they have access to the Operational and Business Support Services(OSS/BSS) that they use to manage the IT datacenter infrastructure(e.g., hardware and software installations, configurations, monitoring,technical support, billing, and the like).

Multiple tenants share the infrastructure in a multi-tenant,collaborative SaaS system.

An “accessor” is an entity (a cloud customer or prospect, an end-user ofthe cloud customer, or a third party entity or end-user) that desiresaccess to use a cloud resource.

Preventing Application-Level Denial-of-Service Attacks

As illustrated in FIG. 5, the basic denial-of-service mechanism 500 ofthis disclosure includes three (3) primary sub-systems (or components),a profile generator sub-system (or “profile generator”) 502, apre-processing sub-system (or “pre-processing proxy”) 504, and adenial-of-service (DoS) action sub-system 506. In general, the profilegenerator 502 is a tool by which a set of application profiles 505 aredefined and stored for use by the pre-processing proxy. An “application”typically refers to a tenant application or application instance, but itmay also refer to an application programming interface (API) to such anapplication. The pre-processing proxy 504 is the mechanism that receivesapplication requests and analyzes those requests against the applicationprofiles, preferably before cloud resources are accessed and/or used torespond to those requests. Based on the request analysis, thepre-processing proxy provides information (e.g., in the form ofnotifications) that one or more of the constraints defined in theapplication profile(s) are implicated by the request(s). The DoS actionsub-system 506 comprises a set of control functions or operations thatare implemented where potential DoS requests (as indicated by thepre-processing proxy 504) are detected. When the DoS action sub-systemreceives a notification from the pre-processing proxy 504 that aconstraint in a profile has been fired, the sub-system 506 can take aspecified action, e.g., generate a warning, delay or throttle therequest, deny the request, restrict the request if combined with one ormore other specified requests, suspend access, or the like. Thus, evenas multiple accessors operate concurrently (and typically independently)with respect to their (multiple) tenant applications supported in theinfrastructure, the result is that no one tenant application or instanceends up obtaining access to sufficient cloud resources in such a mannerthat a denial-of-service can take place.

As described above, a “denial-of-service” should be broadly construed torefer to any degradation of a tenant's service to a point below anacceptable response time and/or transaction throughput rate, whether ornot the attack leads to a full rejection of service for legitimateusers. A denial-of-service may occur deliberately, namely, as a resultof an intentional act, or it may occur without direct intention on thepart of the accessor(s) whose activity creates the situation.

Without limitation, the application profile generator may be implementedas a web-based configuration tool and a set of back-end managementprocesses. The functions in the profile generator 502 and pre-processing504 and DoS action sub-systems may be shared or common, local or remote,and accessible over a network, typically via a secure link. There may beone or executing instances of the profile generator and thepre-processing proxy and the DoS action component depending onimplementation and workload. When multiple instances are executed,additional hardware and software support (e.g., load balancing, nameservers, back-end databases, etc.) may be used.

The application profiles provide a generalized characterization oflegitimate behavior for each of one or more tenant applications (or“types” of such applications), wherein the legitimate behavior typicallyis defined as a mapping of application functionality to acceptableworkload (typically in terms of resource usage or performance). In arepresentative embodiment, a set of application “usage profiles” (or“profiles”) are generated (or are provided from a source of suchinformation).

Typically, a profile comprises a set of information, which may bedefined as a set of XML-encoded data sets contained in a text file. FIG.6 illustrates a representative profile. A profile 600 typicallycomprises the following set of information, e.g., encoded as ASCIIstring values): a request type 602, one or more request variables 604,one or more constraints 606, one or more request mappings 608, and oneor more actions 610. A request type defines a request associated with anapplication or application instance, one or more other requests orrequest types that may be combined with the request, and the like. Arequest variable 604 may have one or more different attributes, such asa type of payload, a file size or type, source, time, etc. A constraint606 represents acceptable workload in response to a particular request(or request combination). Typically, a constraint is a maximum permittedworkload for the application, wherein the permitted workload may bedefined by some attribute or characteristic. In certain circumstances,such as where the constraint is applied across multiple requests, italso may contain a notion of time. Some representative constraints (fora single request) may be: response size, number of triggered applicationoperations, zip file expansion size, and the like.

A “request mapping” 608 maps a request variable to a constraintdirectly, or indirectly (e.g., by calculating a value that can becompared to the constraint). The following are some representativerequest mappings: looking at a request variable to determine a size of aresponse (e.g., a list or file size(s) to be downloaded), looking at arequest variable to determine a number of internal operations triggered(e.g., where a payload defined using a notation such as JSON can be usedto trigger multiple backend operations), looking at a request variableto calculate a cost of internal operations triggered in terms of CPUusage, disk I/O (e.g., where the payload can trigger multiple backendoperations), and so forth. When a request mapping triggers a constraint,one or more of the defined actions 610 are then taken. Thus, theapplication profile defines how a request can be mapped to a workload(the constraint) to determine whether or not the request is withinpolicy. The above-describes request mapping(s) and constraint(s) aremerely representative, and functions (e.g., Boolean or other operations)that combine one or more may be configured. In addition, one or morerequest mappings or constraints may be tied to occurrence of a givenadditional condition or occurrence.

The one or more actions 610 may include action types, and actionparameters. An action type is an action to return if a constraint in theprofile is triggered (fired). Preferably, the action is read from theprofile and returned by default without interruption. An actionparameter (e.g., a number of seconds to delay for a request delay actiontype) is applied to an action type. Preferably, the action parameter isalso returned from the profile without interruption.

The particular nomenclature and syntax of the application profile is notintended to be limiting, as of course other formats and phrasing may beused without altering the basic principles described above. One or moreof the defined attributes also may be combined or supplemented withadditional information or conditions.

Preferably, a user interface includes a configuration tool (e.g., anetwork-accessible set of pages) by which a permitted user configures anapplication profile such as described above. There may be a set ofdefault application profiles for one or more use case scenarios, and aparticular tenant may have access to different set(s) of profiletemplates depending, for example, on the customer's status (e.g., gold,silver or bronze level). Certain fields in an application profiletemplate may be masked or inaccessible for certain persons or entities.Thus, there may be different application profile templates that areaccessible for different users, such as administrators, tenants, tenantprospects, other third parties, and the like. An application profile maybe static or dynamic, and it may be pre-configured or configuredmanually, automatically or programmatically.

FIG. 7 illustrates a representative pre-processing proxy 700.Preferably, the usage monitor provides a set of APIs and processingcomponents that include the following: initialization 702, applicationprofile update 704, termination API 706, allow request determinationcomponent 708, and logging API 710. The initialization API 702 causesthe pre-processing proxy to be initialized. Upon initialization,preferably the proxy reads all application profiles that have beenconfigured and/or are retrieved to the proxy. The update applicationprofile API 704 causes all application profiles to be re-read and tobecome current. The termination API 706 terminates the proxy operation.The allow request determination component 708 receives the one or moreapplication requests as inputs, and returns the corresponding actiontype and action parameter, depending on the analysis. Preferably, theallow request determination component 708 is called before everyapplication request is processed. During this processing, the proxychecks the applicable constraints for the application profile(s) atissue and, if any constraint fires, the API returns the correspondingaction type and/or action parameter. In this manner, the proxydetermines whether the request(s) can be mapped to the workloadconstraint(s) and thus whether the request(s) are within policy for theapplication profile. Preferably, the logging API 710 is called afterevery request completes to log the results of this processing.

As noted above, preferably the proxy (through the allow requestdetermination component 708) performs processing on the request toanalyze how the request will impact resource workload. The nature andscope of this analysis will depend on the request itself, but typicallythe analysis involves the proxy determining the processing and storageresources that are anticipated to be impacted by the request. Theanalysis may involve the pre-processing proxy starting one or moreexecution threads, allocating memory, making simulated API calls,unzipping files, performing substantive analysis on files and data,etc., to evaluate the anticipated application workload if the request ispermitted to proceed.

The profile generator, proxy and DoS action framework is not limited toenforcing a single fixed profile per application. A given applicationprofile may differ from another application profile with respect to oneor more of the following: request, request variables(s), requestmapping(s), constraint(s), or action(s). Further, more than oneapplication profile may be applied to a given request and/or applied toa request for a given time interval. There may be different levels ofconstraints applied for shorter durations (e.g., a few seconds) versuslonger durations (e.g., an hour) Or, different actions may be applied todifferent limits. If a constraint in more than one profile fires for arequest, the action type (and corresponding action parameter, if any)returned preferably is a highest one (in an ASCII sort order forexample). This type of flexibility enables applications that use theproxy (and its APIs) a simple and effective way to create levels ofaction types without the proxy having to interpret/manage them.

The pre-processing (or an instance thereof) may be implemented insoftware (as a computer program) executing in a hardware processor. Oneor more data structures associated therewith store the applicationprofiles or data therein. A database may be used to store applicationprofile data in any convenient manner. In one embodiment, theapplication profile data and the application profiles are stored in ahash table that is keyed by a request identifier with zero or one entryper key. A linked list (with a first entry being the oldest) may then beassociated with each request entry in the hash table, with one for everyrequest that has been processed, e.g., within a time window or from arequest source. The hash table may be periodically updated (e.g., by abackground daemon) to remove requests from the table, to therebymaintain the size of the table manageable for use in a working memory.

Preferably, the one or more action(s) performed when a constraint isfired will depend on the request and the application. This is a not alimitation, as there may be a pre-configured or pre-defined set (orsequence) of actions that are system-imposed. The service provider mayprovide a set of default action(s) or action sequences, or certainaction(s) or action sequences may be imposed on the consumingapplication(s) by default, manually, automatically or programmatically.Typically, a request has a defined set of one or more actions. Theactions may be implemented all at once, or in some predefined orconfigurable sequence. One such sequence that may be implemented may beas follows: throttling the request, denying the request, restricting therequest to running by itself or with certain defined other requests,etc. Of course, other sequences (or no sequence) may be configured andinstantiated. The particular sequence may also be specified in theprofile.

The mechanism of this disclosure may be implemented with respect to asingle hosted application, or across multiple such applications(operating within the cloud environment concurrently). Typically, atleast first and second tenants will use different application profiles.

FIG. 8 illustrates a representative process flow for the proxy and DoSaction components. As noted above, typically there will be multipleinstances of the proxy, although this is not a requirement. The processassumes that application profiles are defined and the proxyinitialization API has been called. At step 800, a request for anapplication is detected. Based on the request type or some otheridentifier, and before the request is processed in the cloud system, aprofile of the set of application profiles is selected at step 802. Asnoted above, the application profile defines an allowed amount ofacceptable workload, preferably over a given time period (the requesttime window), typically for a given request type. What constitutes anallowed “workload” typically will vary for each application profile, andit is defined by the particular constraint or constraints set forth inthe applicable profile. At step 804, a test is performed to determinewhether the request is permitted to access the application (e.g., basedon the one or more constraints in the selected profile). If the outcomeof the test at step 804 indicates that the request should be permitted(because some constraint in the application profile is not yettriggered), the routine continues at step 806 to allow the request. Asdescribed above, the constraint may be of various types. If, however,the outcome of the test at step 804 is negative, an action is determinedat step 808, using the action data specified in the profile. At step810, the DoS action component takes the action based on the action datareturned, and the process terminates with respect to the request.

The following provides several use cases illustrating how the basictechnique operates. Assume that the application profile identifies thatan acceptable workload for a given request type is to allow xtransaction from a given client or IP address in time y. As describedabove, the profile may also specify how a payload of the request typemaps to a number of operations and specifies limits, e.g., a JSONpayload may map to multiple API requests. The pre-processing proxyperforms an analysis on each request to determine if the requestcomplies with such application profile(s). Thus, the proxy might checkthe JSON payload to determine the number of operations that areanticipated to be performed (e.g., an XML payload creates 50 activitieswith each activity resulting in 50 events). In operation, and asdescribed above, the pre-processing proxy analysis may involve aseparate processing, such as unzipping suspect files in a separateexecution thread to determine if they will be a drain on memory whendecompressed at the application. The proxy may also implement logic tocombine requests based on different criteria (e.g., requests originatingfrom a same IP address or client) and then determine whether thecombined requests trigger some criteria in an application profile. Thecriteria may be varied and may include, request source, request timing,an identifier associated with the request accessor, or the like. Theapplication profile typically provides details of what action to takefor different scenarios detected, e.g., where the number of potentialAPI calls is >x, then throttle the request; or, if the number ofpotential API calls is greater than an upper threshold, reject therequest.

Thus, assume that a request calls REST-based APIs with JSON payload. Thepre-processing proxy would parse on the JSON file and calculate a numberof resulting thread or API calls that would be triggered and decidewhether to proceed. That decision need not necessarily be an atomicdecision and may just include total workload triggered against theapplication within a time period, or total workload by a particularcalling identity or IP address.

As noted above, a given application profile may also define one or moreconstraints in the context of multiple requests (taken in combination).To address multiple requests, the pre-proxy processor includes theability to link requests based on some defined criteria, such asauthenticated user (e.g., a session identifier, or equivalent), IPaddress of the requesting machine, or the like. The application profilealso is provisioned to define application workload based either on acombination of different requests, on a series of the same request oversome specified time period, or the like. The example scenario aboveshows how a series of the same JSON request can violate a constraint.Preferably, the proxy maintains a running total of requests, as well asthe results of mapping each request to a constraint, so that multiplerequests can be linked as defined in the profile and the workload(s)analyzed against the constraint(s).

The approach herein is quite flexible and may have numerous variants.Thus, for example, the decision regarding which particular applicationprofile to select from the set of application profiles may depend on anidentity or, or some other characteristic associated with, theparticular tenant, or a determination of which tenant a particularaccessor is associated. The approach also preferably includes aconfiguration management sub-system (or leverages an existing one in thecloud infrastructure) to add new application profile(s) or to add newtypes of application profile constraints as different or new types ofapplications or accessors start to use the infrastructure. Themanagement sub-system may also provide for the specification andenforcement of actions to prevent or mitigation resourceover-utilization other than just providing an escalating set of actions(such as described above). Other actions may include, withoutlimitation, pushing requests into a waiting queue before allowingaccess, restricting a number of self-service trials, restricting accessfrom a given number of indirect users (i.e., those that third partieswho use products through the hosted application), and the like

The mechanism, which is designed to pre-process requests, may beimplemented alone or in combination with a profile-based system thatuses accessor profiles and that operates as requests are being actuallycarried out in the shared infrastructure.

The profile generation, proxy and DoS action functions may be part of anexisting cloud management functionality (e.g., BSS, OSS, or otherdirectory service), or they may be an extension or adjunct to some othercloud function, operation or mechanism.

The techniques described herein provide significant advantages over theprior art by preventing application-level denial-of-service attacks in amulti-tenant collaborative SaaS system. Using the approach, legitimateusers and usage of the service may continue with acceptable responsetime and transaction throughput rates. The approach further ensures thatdenial-of-service attacks do not lead to rejection of service forlegitimate users or otherwise create business-impacting supportsituations. The techniques enable detection and prevention of abusiveusage of cloud resources, as well as prevention of subsequentdenial-of-service attempts by intentional abusers. The mechanism isdynamic and can readily adapt to new behaviors (both good and bad), andit is flexible and thus able to allow for new, specifically allowableuse cases (e.g., when an application in the SaaS business decides toallow certain behavior). In summary, the approach herein thus provides ageneral service to allow applications to avoid abuse of their service inthe context of a collaborative, multi-tenant SaaS system.

One or more aspects of the described functionality described above maybe implemented as a standalone approach, e.g., a software-based functionexecuted by a processor, although the preferred implementation is as amanaged service (including as a web service via a SOAP/XML interface).The particular hardware and software implementation details describedherein are merely for illustrative purposes are not meant to limit thescope of the described subject matter.

More generally, computing devices within the context of the disclosedsubject matter are each a data processing system (such as shown in FIG.2) comprising hardware and software, and these entities communicate withone another over a network, such as the Internet, an intranet, anextranet, a private network, or any other communications medium or link.The applications on the data processing system provide native supportfor Web and other known services and protocols including, withoutlimitation, support for HTTP, FTP, SMTP, SOAP, XML, WSDL, UDDI, andWSFL, among others. Information regarding SOAP, WSDL, UDDI and WSFL isavailable from the World Wide Web Consortium (W3C), which is responsiblefor developing and maintaining these standards; further informationregarding HTTP, FTP, SMTP and XML is available from Internet EngineeringTask Force (IETF). Familiarity with these known standards and protocolsis presumed.

Still more generally, the subject matter described herein can take theform of an entirely hardware embodiment, an entirely software embodimentor an embodiment containing both hardware and software elements. In apreferred embodiment, the inactivity tracking and managementfunctionality is implemented in software, which includes but is notlimited to firmware, resident software, microcode, and the like.Furthermore, denial-of-service mechanism and/or particular functionstherein can take the form of a computer program product accessible froma computer-usable or computer-readable non-transitory medium providingprogram code for use by or in connection with a computer or anyinstruction execution system. For the purposes of this description, acomputer-usable or computer readable medium can be any apparatus thatcan contain or store the program for use by or in connection with theinstruction execution system, apparatus, or device. The medium can be anelectronic, magnetic, optical, electromagnetic, infrared, or asemiconductor system (or apparatus or device). Examples of acomputer-readable medium include a semiconductor or solid state memory,magnetic tape, a removable computer diskette, a random access memory(RAM), a read-only memory (ROM), a rigid magnetic disk and an opticaldisk. Current examples of optical disks include compact disk-read onlymemory (CD-ROM), compact disk-read/write (CD-R/W) and DVD. Storagedevices may include removable media, such as SD cards. Thecomputer-readable medium is a tangible, non-transitory item. Any ofthese devices can be used to store the authentication or other statusinformation described above.

Any cloud datacenter resource may host denial-of-service mechanism orits components as described herein.

The computer program product may be a product having programinstructions (or program code) to implement one or more of the describedfunctions. Those instructions or code may be stored in a computerreadable storage medium in a data processing system after beingdownloaded over a network from a remote data processing system. Or,those instructions or code may be stored in a computer readable storagemedium in a server data processing system and adapted to be downloadedover a network to a remote data processing system for use in a computerreadable storage medium within the remote system.

In a representative embodiment, the denial-of-service mechanism isimplemented in a special purpose computing platform, preferably insoftware executed by one or more processors. The software is maintainedin one or more data stores or memories associated with the one or moreprocessors, and the software may be implemented as one or more computerprograms. Collectively, this special-purpose hardware and softwarecomprises the functionality described above.

Further, the pre-processing and denial-of-service preventionfunctionality provided herein may be implemented as an adjunct orextension to an existing cloud compute management solution.

The techniques described herein may be used in any virtual client-serverenvironments.

While the above describes a particular order of operations performed bycertain embodiments of the invention, it should be understood that suchorder is exemplary, as alternative embodiments may perform theoperations in a different order, combine certain operations, overlapcertain operations, or the like. References in the specification to agiven embodiment indicate that the embodiment described may include aparticular feature, structure, or characteristic, but every embodimentmay not necessarily include the particular feature, structure, orcharacteristic.

Finally, while given components of the system have been describedseparately, one of ordinary skill will appreciate that some of thefunctions may be combined or shared in given instructions, programsequences, code portions, and the like.

Having described our invention, what we claim is as follows:
 1. A methodof minimizing application-level denial-of-service attacks with respectto compute resources in a multi-tenant shared infrastructure, the methodcomprising: profiling anticipated application behavior in response toone or more requests to generate an application profile having at leastone workload constraint, the application profile including a mapping ofa request type to a workload and a workload limit; upon receipt of arequest, and prior to execution, determining whether execution of therequest satisfies the at least one workload constraint in theapplication profile by evaluating whether the request is predicted toresult in a workload that exceeds the workload limit; responsive todetermining whether execution of the request satisfies the at least oneworkload constraint in the application profile, taking a given action;wherein the steps are carried out in software executing in a hardwareelement.
 2. The method as described in claim 1 wherein the given actionis one of: throttling execution of the request, rejecting the request,and providing a given notification.
 3. The method as described in claim1 wherein determining whether execution of the request satisfies the atleast one workload constraint allocates processing or storage in themulti-tenant shared infrastructure to simulate how execution of therequest affects availability of the compute resources.
 4. The method asdescribed in claim 1 wherein the anticipated application behaviorcharacterizes legitimate behavior for each of one or more tenantapplications in the multi-tenant shared infrastructure.
 5. The method asdescribed in claim 4 wherein the anticipated application behavior isprofiled as a machine-encoded data set.
 6. The method as described inclaim 1 wherein the determining step executes a number of applicationoperations in a separate execution thread to determine if the number ofapplication operations in the workload exceeds the workload limit. 7.Apparatus, comprising: a processor; computer memory holding computerprogram instructions that when executed by the processor minimizeapplication-level denial-of-service with respect to compute resources ina multi-tenant shared infrastructure, the computer program instructionscomprising: program code to profile anticipated application behavior inresponse to one or more requests to generate an application profilehaving at least one workload constraint, the application profileincluding a mapping of a request type to a workload and a workloadlimit; program code operative upon receipt of a request, and prior toexecution, to determine whether execution of the request satisfies theat least one workload constraint in the application profile byevaluating whether the request is predicted to result in a workload thatexceeds the workload limit; and program code, responsive to determiningwhether execution of the request satisfies the at least one workloadconstraint in the application profile, to take a given action.
 8. Theapparatus as described in claim 7 further including program to take thatgiven action that is one of: throttling execution of the request,rejecting the request, and providing a given notification.
 9. Theapparatus as described in claim 7 wherein the program code to determinewhether execution of the request satisfies the at least one workloadconstraint includes program code to allocate processing or storage inthe multi-tenant shared infrastructure to simulate how execution of therequest affects availability of the compute resources.
 10. The apparatusas described in claim 7 wherein the anticipated application behaviorcharacterizes legitimate behavior for each of one or more tenantapplications in the multi-tenant shared infrastructure.
 11. Theapparatus as described in claim 10 wherein the anticipated applicationbehavior is profiled as a machine-encoded data set.
 12. The apparatus asdescribed in claim 7 wherein the program code to evaluate executes anumber of application operations in a separate execution thread todetermine if the number of application operations in the workloadexceeds the workload limit.
 13. A computer program product in anon-transitory computer readable medium for use in a data processingsystem, the computer program product holding computer programinstructions which, when executed by the data processing system,minimize application-level denial-of-service with respect to computeresources in a multi-tenant shared infrastructure, the computer programinstructions comprising: program code to profile anticipated applicationbehavior in response to one or more requests to generate an applicationprofile having at least one workload constraint, the application profileincluding a mapping of a request type to a workload and a workloadlimit; program code operative upon receipt of a request, and prior toexecution, to determine whether execution of the request satisfies theat least one workload constraint in the application profile byevaluating whether the request is predicted to result in a workload thatexceeds the workload limit; and program code, responsive to determiningwhether execution of the request satisfies the at least one workloadconstraint in the application profile, to take a given action.
 14. Thecomputer program product as described in claim 13 further includingprogram to take that given action that is one of: throttling executionof the request, rejecting the request, and providing a givennotification.
 15. The computer program product as described in claim 13wherein the program code to determine whether execution of the requestsatisfies the at least one workload constraint includes program code toallocate processing or storage in the multi-tenant shared infrastructureto simulate how execution of the request affects availability of thecompute resources.
 16. The computer program product as described inclaim 13 wherein the anticipated application behavior characterizeslegitimate behavior for each of one or more tenant applications in themulti-tenant shared infrastructure.
 17. The computer program product asdescribed in claim 16 wherein the anticipated application behavior isprofiled as a machine-encoded data set.
 18. The computer program productas described in claim 13 wherein the program code to evaluate executes anumber of application operations in a separate execution thread todetermine if the number of application operations in the workloadexceeds the workload limit.